Natxo Asenjo wrote:

On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <
<>> wrote:

    The 3 certs you list are the ones that are renewed via the IPA API
    (as opposed to the subsystem certs renewed directly by dogtag). I
    think the failures are all related. I had someone else report the
    CSR decoding failure and he just restarted IPA and that fixes things
    for him though it was a rather unsatisfying fix.

    What I'd do is this. Assuming each step works, move onto the next.

    1. ipa cert-show 1

    The serial # picked more or less at random, we're testing
    connectivity and that the CA is up and operational.

    2. I assume that getcert list | grep expire shows all certs
    currently valid? The IPA service certs expire in a month, how about
    the CA subsystem certs?

    3. Is this the same server having problems talking to the CA due to
    the other NSS errors? If so what I'd do is restart httpd then
    immediately use ipa-getcert to resubmit the requests to try to get
    into that few minute window.

    If this is the same box you already have debugging enabled so seeing
    what that shows might be helpful.


yes, all certs are valid (see attachment getcert.txt).

So I restarted httpd, I could execute ipa cert-show 1 and get an answer,
inmediately after I run

$ sudo ipa-getcert resubmit -i 20121107212513
Resubmitting "20121107212513" to "IPA".

and now the status is the one you see in the attached getcert.txt file.
The server failed request, will retry.

I do not know if it's important, but I saw that the usercertificate
attribute of the pki user admin was expired.1

I attach the error_log of httpd as well.

Ok, how about we work around the problem.

Since it is failing on the revocation what you might try is removing the userCertificate value from the ldap/ service entry.

I think this will work:

$ ipa service-show ldap/ |grep Serial
<note this down for later>

$ ipa service-mod --certificate= ldap/

If this doesn't work you can use ldapmodify to delete the usercertificate value.

This will remove the certificate value so there is nothing to revoke and a new cert will be saved (hopefully).

Now try to resubmit the request via certmonger.

It if works then you can run ipa cert-revooke <old serial #>

It isn't a great answer long-term because it is really just working around the problem but it should get the certs renewed.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to